This is a security bugfix release; no new features have been added since 3.4.4.
Changelog
Compared to the latest release 3.4.4, the following changes and bugfixes were added.
Security fixes
Security fix for CVE-2024-5165
The Eclipse Ditto Web-UI, the Explorer User Interface, was vulnerable
to Cross-Site Scripting (XSS) in multiple input fields.
All Ditto-UI versions are affected, starting with Ditto 3.0.0, the release in which
the Ditto-UI was introduced.
This is tracked as CVE-2024-5165: https://nvd.nist.gov/vuln/detail/CVE-2024-5165.
The issue was detected and reported by Manuel Sommer and
Quirin Zießler and disclosed via the
Eclipse Vulnerability Reporting process.
We would like to thank them for detecting the issue and for the effort of reporting the affected input fields.
We recommend that all users of Eclipse Ditto who have also deployed the Ditto Web-UI update the Web-UI.
If the Web-UI is not deployed, no action to update is needed, as the Ditto backend is not affected.